Millions of Computers, Still Vulnerable to BlueKeep RDP Flaw
Millions of Windows systems are still unpatched and have been found vulnerable to a recently disclosed critical, wormable, remote code execution vulnerability in the Windows Remote Desktop Protocol (RDP). If exploited, the vulnerability would allow an attacker to easily cause a global cyber-nightmare, potentially much worse than the WannaCry and Petya/NotPetya attacks.
The BlueKeep vulnerability, CVE-2019-0708, affects Windows 2003, XP, Windows 7, Windows Server 2008 and 2008 R2 editions, and it is wormable: an exploit could spread automatically between unprotected systems without any user involvement.
The vulnerability could allow an unauthenticated, remote attacker to execute a payload and take control of a targeted computer just by sending specially crafted requests to the device's Remote Desktop Service (RDS) over RDP, without requiring any interaction from a user. Microsoft already released a security fix to address the vulnerability with its May 2019 Patch Tuesday updates.
However, the latest Internet scan revealed that, unfortunately, roughly 950,000 publicly accessible machines on the Internet are vulnerable to the BlueKeep bug, and the number is getting higher.
This clearly means that even after the security patch is out, not every user and organization has deployed it, posing a massive risk to individuals and organizations, including industrial and healthcare environments.
The BlueKeep vulnerability has so much potential to wreak havoc worldwide that it forced Microsoft to release patches for not only the supported Windows versions but also Windows XP, Windows Vista and Windows Server 2003, which no longer receive mainstream support from the company but are still widely used.
Not just researchers, but also malicious hackers and cybercriminals have started scanning the Internet for vulnerable Windows systems to target them with malware. This activity has been observed exclusively from Tor exit nodes and is likely being executed by a single actor.
Luckily, so far no security researcher has publicly released proof-of-concept exploit code for BlueKeep, though a few have confirmed that they have developed a working exploit.
Patch your systems as soon as possible, or disable RDP services if they are not required. Block port 3389 using a firewall, or make it accessible only over a private VPN. Enable Network Level Authentication (NLA); this is a partial mitigation that prevents an unauthenticated attacker from exploiting this wormable flaw.
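As an added example (not from the article), the following PowerShell audit checks the mitigations listed above on a single Windows host and optionally enforces NLA. It assumes a local administrator session and reads the standard Terminal Server registry values; the firewall check uses the NetSecurity cmdlets, which are absent on Windows 7 and older, so it is skipped there.

```powershell
# Added example: audit RDP exposure on this host and optionally require NLA.
# Assumes an elevated session; registry paths are the standard Terminal Server keys.
param([switch]$EnforceNLA)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop is disabled entirely.
$rdpDisabled = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
# UserAuthentication = 1 means NLA is required before a session is created.
$nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1
# PortNumber confirms which port the listener uses (3389 by default, the port the article says to block at the edge).
$rdpPort = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber

# Enabled inbound firewall rules that explicitly allow the RDP port (NetSecurity module required).
$allowRules = @()
if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    $allowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$rdpPort" }
}

[pscustomobject]@{
    Host              = $env:COMPUTERNAME
    RdpDisabled       = $rdpDisabled
    NlaRequired       = $nlaRequired
    RdpPort           = $rdpPort
    InboundAllowRules = ($allowRules | Select-Object -ExpandProperty DisplayName) -join '; '
    # Exposed = RDP listening and reachable by an unauthenticated client
    Exposed           = (-not $rdpDisabled) -and (-not $nlaRequired)
} | Format-List

if ($EnforceNLA -and -not $rdpDisabled -and -not $nlaRequired) {
    # Same value the "Allow connections only from computers running Remote Desktop with NLA" checkbox sets.
    Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1
    Write-Output "NLA now required on $env:COMPUTERNAME; new connections must authenticate before a session is created."
}
```

Run it without the switch to report, or with `-EnforceNLA` to apply the setting; a host reported as Exposed with the port allowed inbound still needs the patch or a firewall/VPN restriction, since NLA is only a partial mitigation.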